Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1514163
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem:
FIPS-enabled RHEL 7.4 server. Customer is trying to install IPA server with externally signed certs, and it fails with the error below.

2017-10-31T18:26:34Z DEBUG The ipa-server-install command failed, exception: ScriptError: No server certificates found in /etc/pki/Identity_Management/temp/knoidm01-http-Complete.cer, /etc/pki/Identity_Management/BA-CA02.org.test_ForestDV01.crt

But when tested after disabling FIPS mode, installation succeeded.

Version-Release number of selected component (if applicable):

How reproducible:
On RHEL with FIPS, always.

Steps to Reproduce:
1. Configure the server in FIPS mode (https://access.redhat.com/solutions/137833)
2. Obtain server certificates for LDAP and HTTP server (for instance using the makepki.sh tool available at https://github.com/freeipa/freeipa-tools)
3. Run ipa-server-install --http-cert-file=server.crt --http-cert-file=server.key --dirsrv-cert-file=server.crt --dirsrv-cert-file=server.key --external-cert-file=ca.crt --no-pkinit ...

Actual results:
The installation fails.

Expected results:
ipa-server-install should succeed.

Additional info:
The workaround is to provide a p12 file instead of the cert/key files:
openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt -certfile ca.crt
and use this p12 in ipa-server-install:
ipa-server-install --http-cert-file=server.p12 --dirsrv-cert-file=server.p12 --no-pkinit ...
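The PKCS#12 workaround from the report, as an added example that is not part of the ticket or of FreeIPA: it builds the bundle the way the reporter describes and then checks that it really contains the server certificate, the CA certificate and a private key matching the server certificate before the file is handed to ipa-server-install. The file names (ca.crt, server.key, server.crt, server.p12) follow the ticket; the test PKI generated here is a stand-in for the makepki.sh output and the WORKDIR variable is assumed.

```shell
#!/bin/sh
# Build and verify the server.p12 bundle used as the workaround.
# A throwaway CA and server certificate are generated so the script runs
# stand-alone; in practice ca.crt comes from the external CA and
# server.crt/server.key from the CSR that CA signed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Constructed test PKI (stand-in for makepki.sh output), hypothetical names.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test External CA" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ipa.example.test" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORKDIR/server.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -out "$WORKDIR/server.crt" 2>/dev/null
}

# The workaround from the ticket: key + server cert + CA cert in one PKCS#12.
# An empty export password keeps the call non-interactive.
build_p12() {
    openssl pkcs12 -export -out "$WORKDIR/server.p12" \
        -inkey "$WORKDIR/server.key" -in "$WORKDIR/server.crt" \
        -certfile "$WORKDIR/ca.crt" -passout pass:
}

# Checks a practitioner wants before running the installer: the bundle must
# carry exactly one private key and both certificates, and the key's public
# half must match the server certificate's public key.
verify_p12() {
    out=$(openssl pkcs12 -in "$WORKDIR/server.p12" -nodes -passin pass:)
    certs=$(printf '%s\n' "$out" | grep -c -- '-----BEGIN CERTIFICATE-----')
    keys=$(printf '%s\n' "$out" | grep -c -- '-----BEGIN.*PRIVATE KEY-----')
    [ "$certs" -eq 2 ] && [ "$keys" -eq 1 ] || return 1
    c=$(openssl x509 -in "$WORKDIR/server.crt" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$WORKDIR/server.key" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}
# After verify_p12 succeeds, the bundle is used as in the ticket:
# ipa-server-install --http-cert-file=server.p12 --dirsrv-cert-file=server.p12 --no-pkinit ...
```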
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1514163
Metadata Update from @frenaud: - Issue assigned to frenaud
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1333
Metadata Update from @frenaud: - Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.6)
master:
ipa-4-6:
ipa-4-5:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)